Hi All,  We have request from a Cybersecurity team to monitor the Windows Event Viewer logs in Splunk, my question is how to configure the monitoring stanza to get the event data into splunk. Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Admin Event Viewer (Local) --->Application and Services Logs --> OpenSSH --> Operational  When I check the properties to find the exact Log Path details I could see like this  %SystemRoot%\System32\Winevt\Logs\OpenSSH%4Operational.evtx %SystemRoot%\System32\Winevt\Logs\OpenSSH%4Admin.evtx My question is how to write the monitoring stanza for this path and define the sourcetype for the same. [WinEventLog://Application/OpenSSH/Operational] sourcetype=winEventLog:OpenSSH:Operational index=test disable=0 [WinEventLog://Applicaion/OpenSSH/Adminl] sourcetype=winEventLog:OpenSSH:Admin index=test disable=0 Please guide me on this 

Hello, I have Splunk Stream app installed on my Search Head (Deployment Server) which controls the Stream Forwarders deployed on my Indexers (Deployment Clients). Even though app is deployed and I receive stream data, whenever I change the configuration of my streams (remove fields from protocols, add IP blacklist filters etc) the configuration does not get applied on Stream Forwarders even though I have tried to restart them. No IP filtering is applied nor protocol fields are removed. Any way I can troubleshoot that? Thanks Chris

I am using mobile linkage with splunk secure gateway. I modified the file etc/apps/splunk_secure_gateway/bin/spacebridgeapp/alerts/device_role_mapping.py as below to enable up to 100 accounts. AS-IS async def get_registered_devices(auth_header, user_list, async_kvstore_client, max_batch_size=20): TO-BE async def get_registered_devices(auth_header, user_list, async_kvstore_client, max_batch_size=100): Please check the reason for the limit of 20 accounts, whether there is any problem even if you change it to 100 as above, and if there is a problem, the possible impact.

While searching with time range, timestamp append 5:30 UTC time in query. I don't want  to append 5:30 using '$tokEarliest1$' and '$tokLatest1$' in search query. Below are the code-   <form theme="dark"> <label>CIS Usage Dashboard - Event Rate</label> <search> <query> |makeresults </query> <earliest>$timepicker.earliest$</earliest> <latest>$timepicker.latest$</latest> <progress> <eval token="tokEarliest">strptime($job.earliestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval> <eval token="tokLatest">strptime($job.latestTime$,"%Y-%m-%dT%H:%M:%S.%3N%z")</eval> <eval token="tokEarliest1">strftime(tokEarliest,"%Y-%m-%d %H:%M:%S.%3N")</eval> <eval token="tokLatest1">strftime(tokLatest,"%Y-%m-%d %H:%M:%S.%3N")</eval> </progress> </search> <description>draft event ingestion rate by wfm at day or hour level</description> <fieldset submitButton="true" autoRun="false"> <input type="time" token="timepicker" searchWhenChanged="false"> <label>Time Range</label> <default> <earliest>-24h@h</earliest> <latest>now</latest> </default> </input> <input type="dropdown" token="stack"> <label>Select the Stack</label> <choice value="cust01">Kronos Customer Stack (CUST)</choice> <default>cust01</default> <initialValue>cust01</initialValue> <fieldForLabel>stack</fieldForLabel> <fieldForValue>stack</fieldForValue> </input> <input type="dropdown" token="env" searchWhenChanged="true"> <label>Environment</label> <fieldForLabel>env</fieldForLabel> <fieldForValue>env</fieldForValue> <default>prd01</default> <search> <query>index=cust-prd-wfd-wfl-* |eval env = mvindex(split(host, "-"), 1) | stats count by env</query> <earliest>-15m</earliest> <latest>now</latest> </search> </input> <input type="dropdown" token="cluster"> <label>Select the WFM Cluster</label> <fieldForLabel>cluster</fieldForLabel> <search> <query>index=*-wfd-wfm-ilb | rex field=host "\w+\d{2}\-(?&lt;env&gt;\w+)\-ins\d+\-(?&lt;cluster&gt;wfm\d+)"|search host="*$env$*" | stats count by cluster | fields cluster</query> <earliest>-15m</earliest> <latest>now</latest> </search> <fieldForValue>cluster</fieldForValue> <choice value="">All</choice> <default>All</default> </input> <input type="dropdown" token="timespan"> <label>Time Span</label> <choice value="1h">Hour</choice> <choice value="1d">Day</choice> <initialValue>1d</initialValue> </input> </fieldset> <row> <panel> <search id="basedatesearch"> <query>| koogledimen service=WFMPPASQuery action=QueryAllWFMAtOnce scope="cust01-$env$" query="select date(created_timestamp) , sum(case when status = 1 then 1 else 0 end) as success, sum(case when status = 0 or status = 2 and dispatch_count &lt; 4 then 1 else 0 end) as processing, sum(case when status = 2 and dispatch_count = 4 then 1 else 0 end) as error from domain_event_listener_status where listener_id='CIS_PUSH_LISTENER' and created_timestamp &gt;= '$tokEarliest1$' and created_timestamp &lt;= '$tokLatest1$' group by date(created_timestamp)"| eval envstatus=if(like(scope, "%$env$%"), 1, 0)| eval wfmstatus=if(like(scope, "%$cluster$%"), 1, 0)| where envstatus=1 and wfmstatus=1 </query> <earliest>-24h@h</earliest> <latest>now</latest> </search> <title>Events Count by WFM - Success</title> <chart> <search base="basedatesearch"> <query> | chart sum(success) by date,scope</query> </search> <option name="charting.axisTitleX.text">WFM</option> <option name="charting.axisTitleY.text">Event Counts</option> <option name="charting.chart">line</option> <option name="charting.drilldown">none</option> <option name="refresh.display">progressbar</option> </chart> </panel> </row> </form>   Have any solution for this ?  

Hi Appdynamics, I'm trying to enable thread correlation support Netcore agent, but I couldn't find the steps by referring to the link. "https://docs.appdynamics.com/21.7/en/application-monitoring/install-app-server-agents/net-agent/net-microservices-agent/net-core-microservices-agent-support". @Anonymous  Please share the document containing the steps to enable thread support for the Netcore microservices agent. Thanks in advance.

Hi, We have requirement where we have to get the start till end log of one process and when we get the log we can see the logs of other process as well which is running in parallel. So we want to get the lines of only the process which we have to work on. The process number changes at every run. Sample Log: 2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started 2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData 2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection 2022-02-14 02:30:00,065 [Worker-2] DEBUG another process started 2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding 2022-02-14 02:30:00,082 [Worker-2] DEBUG ExistingAccount 2022-02-14 02:30:00,083 [Worker-2] DEBUG query is array 2022-02-14 02:30:00,097 [Worker-2] DEBUG Done.... assigning access for account 2022-02-14 02:30:00,524 [Worker-2] DEBUG closing connection 2022-02-14 02:30:00,547 [Worker-2] Task Complete 2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally... 2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email 2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended we have used below search to get above log : index=test sourcetype=debugLog | transaction startswith="User job started" endswith="User job ended" we want the output as below. So how we can add extra logic to above search to get below output? 2022-02-14 02:30:00,046 [Worker-3] DEBUG User job started 2022-02-14 02:30:00,063 [Worker-3] DEBUG Calling importData 2022-02-14 02:30:00,063 [Worker-3] DEBUG Initializing External DB connection 2022-02-14 02:30:00,067 [Worker-3] DEBUG url before binding 2022-02-14 02:30:00,560 [Worker-3] DEBUG inside finally... 2022-02-14 02:30:00,567 [Worker-3] DEBUG sending Notification Email 2022-02-14 02:30:00,567 [Worker-3] DEBUG User job ended  

Hi, how can i correlate events from different indexes when both( field names and  values) are different ? For example: I have a some app logs  in an index=id1 . There is field called user in this index   which has values like: SmithJ JohnK  Now i want to find out what is the IP address of these users from our firewall index.  But  In the Firewall index,  the user names are in following format: Field Name:  PanOSSourceUserName Value:  <Domain>\SmithJ Field Name:  PanOSSourceUserName Value:  <Domain>\JohnK As you can see, the firewall index has names appended by our <domain name>\ while the app index doesn't have domain name in the user field.    There are other fields called src_ip and Country in firewall events. How can i craft  a search that takes the user field from app index and compares/ correlates that with the PanOSSourceUserName field from Firewall index and accordingly displays the src_ip of the user .  Hope i am clear. End result:  Table or Stats whatever works with following columns  _time user PanOSSourceUserName src_ip Country               Thanks in advance   

Hello,  I have a question can a single value panel be clickable in any direction? For example, i applied a drilldown to that single value and i want to click the panel instead of the value itself. Instead of clicking the middle, is it possible in all direction ?  Thank you for your help !

I have added a dropdown in my panel as shown below. My issue is that regardless of which option I chose it shows red in the pie chart and 100%. I would like to know how I can change colors by the selection and also for the percentage to update based on the selection from the drop down.

I have a Dashboard that has multiple Dropdowns (Environment, Time Range, Application, Search Parameters) and I have a submit button after all of these. The Application Dropdown is special in the fact that there are 2 applications that need to have the application tag added to the end of it in order to search correctly. Ex, If I want to search for an application most of them look like "index=name source=name app=appname" but for 2 of the applications it needs to look like "index=name source=name app=appname$environment$" I have figured out how to alter the token value based on whether the special apps are chosen using : <input type="dropdown" token="application" searchWhenChanged="false">     <choice value="normalapp1">Normal App 1</choice>     <choice value="normalapp2">Normal App 1</choice>     <choice value="specialapp1">Special App 1</choice>     <choice value="specialapp2">Special App 2</choice>     <change>         <condition value="specialapp1">             <set token="application">specialapp1$environment$</set>         </condition>         <condition value="specialapp2">             <set token="application">specialapp2$environment$</set>         </condition>     </change> </input> The problem is that these changes are nested in this one dropdown so it only works properly when I change the application dropdown and not every time I press submit. Does anybody have a solution for updating all of the dropdowns every time the Submit button is pressed?

Hi All,  I am new to splunk. We are using splunkcloud and version 8.2.  We are exploring how to ingest gitlab audit logs in splunk. I checked gitlab project audit add on is not available in splunkcloud. I have tested HEC endpoints. For me my HEC working from curl https request.  But I am clueless how can I ingest gitlab logs to splunk and keep this process realtime and automated. Please suggest.   Thanks in advance.

We've done a new install of IT Essentials work, and was trying to add entities, but don't have the create entity button. My account has itoa_admin, itoa_analyst, itoa_user roles assigned. I do have a create entity type button, but there are no configured entity types. I have installed the AWS & nix content packs. What am I missing?

I'm struggling with some field mapping and not exactly sure the best way to go about this.  Below are two different event examples from the sourcetype="oracle:listener:text".  I'm wanting the Service and Version fields extracted.  I am able to get the Service extracted at search time using regex, but having difficulties with getting the version field.  Using the Splunk field extractor I can get this field using two different regex examples, but it doesn't allow me to add two field examples.  I receive the following: "The extraction failed. If you are extracting multiple fields, try removing one or more fields. Start with extractions that are embedded within longer text strings." Able to extract SERVICE field using REGEX: ^(?:[^=\n]*=){8}(?P<SERVICE_NAME>\w+) 28-APR-2022 10:39:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN2)(VERSION=318767104)) * status * 0   Able to extract VERSION field using REGEX: (?:[^\.\n]*\.){4}\w+\)\(\w+=\d+\)\)\)\(\w+=(?P<VERSION_NUMBER>\d+) 28-APR-2022 10:39:24 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=oracle))(COMMAND=status)(ARGUMENTS=64)(SERVICE=(ADDRESS=(PROTOCOL=TCP)(HOST=ora31-vip.test.com)(PORT=1521)))(VERSION=318767104)) * status * 0 Able to extract another VERSION field from a different event example using the following REGEX: ^(?:[^=\n]*=){9}(?P<VERSION_NUMBER>\d+) 28-APR-2022 10:39:03 * (CONNECT_DATA=(CID=(PROGRAM=)(HOST=ora31.test.com)(USER=grid))(COMMAND=status)(ARGUMENTS=64)(SERVICE=LISTENER_SCAN2)(VERSION=318767104)) * status * 0   I'm using the latest Splunk Add-on for Oracle Database (https://splunkbase.splunk.com/app/1910/ version 4.1.0) that collects and ingest data from Oracle Database Server. Looking at the props.conf for Splunk_TA_oracle, it doesn't appear it does anything for these two fields I'm wanting. [oracle:listener:text] SHOULD_LINEMERGE = False LINE_BREAKER = ([\r\n]+)\d+-\w{3}-\d{4}\s+\d+\:\d+\:\d+ KV_MODE = None TIME_PREFIX = ^ MAX_TIMESTAMP_LOOKAHEAD = 20 TIME_FORMAT = %d-%b-%Y %H:%M:%S EVAL-app = "oracle" REPORT-ORACODE = ORACODE REPORT-CLIENTIP_listener = CLIENTIP_listener REPORT-DESTIP_listener = DESTIP_listener REPORT-DESTPORT_listener = DESTPORT_listener REPORT-CLIENTUSER_listener = CLIENTUSER_listener REPORT-USER_listener = USER_listener REPORT-PROGRAM_listener = PROGRAM_listener REPORT-STATUS_listener = STATUS_listener EVAL-action = if(STATUS=0, "success", "failure") FIELDALIAS-dest = DESTIP as dest FIELDALIAS-src=CLIENTIP as src FIELDALIAS-src_user = CLIENT_USER as src_user, CLIENT_USER as user LOOKUP-ORACODE = oracle_ora_code_lookup ORACODE OUTPUTNEW DESCRIPTION, CAUSE, ACTION as oracle_listener_action FIELDALIAS-port = DESTPORT as port Is it worth trying to get these fields mapped adjusting some things in the oracle app or should I just focus on extracting the fields at search time instead?

i have a query to pull out stats and counts based on incoming applictiond and request path  it gave me stats when i tried to pull for month jan,feb but its not giving me back data for March till now  is it issue with query or something with splunk tool    below is my search query pattern  mysearch query | bucket _time span=day| stats count by attributes.headers.client_id, attributes.requestPath,_time | spath input=log